Comware Based

HPE Switch - SSL Vulnerabilities.

 
jmpk
HPE Pro

HPE Switch - SSL Vulnerabilities.

Users may see following Plugin name or Vulnerabilities on their security assessment report . Below is example one, but the plugin name will be same for all customer

Plugin Name

SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Plugin Output:  List of RC4 cipher suites supported by the remote server :    Low Strength Ciphers (<= 64-bit key)      EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)              Mac=MD5    export         High Strength Ciphers (>= 112-bit key)      RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(128)             Mac=MD5         RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(128)             Mac=SHA1     The fields above are :    {OpenSSL ciphername}   Kx={key exchange}   Au={authentication}   Enc={symmetric encryption method}   Mac={message authentication code}   {export flag}

SSL Weak Cipher Suites Supported

Plugin Output:  Here is the list of weak SSL ciphers supported by the remote server :    Low Strength Ciphers (<= 64-bit key)      EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export          EXP-RC2-CBC-MD5              Kx=RSA(512)    Au=RSA      Enc=RC2-CBC(40)          Mac=MD5    export          EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)              Mac=MD5    export          DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-CBC(56)          Mac=SHA1     The fields above are :    {OpenSSL ciphername}   Kx={key exchange}   Au={authentication}   Enc={symmetric encryption method}   Mac={message authentication code}   {export flag}

SSL Medium Strength Cipher Suites Supported (SWEET32)

Plugin Output:    Medium Strength Ciphers (> 64-bit and < 112-bit key  or 3DES)      DES-CBC3-SHA                 Kx=RSA         Au=RSA      Enc=3DES-CBC(168)        Mac=SHA1     The fields above are :    {OpenSSL ciphername}   Kx={key exchange}   Au={authentication}   Enc={symmetric encryption method}   Mac={message authentication code}   {export flag}

 

Users needs to create an SSL server-policy and choose the secured cipher suit. Then link this newly created SSL server-policy to the ip https service.

However from my point of view, customer don’t need the http and https service as to configure and manage the switch as we use SSH.

Users can just disable the ip http and https service to mitigate this vulnerability.

Config Example for SSL:

 

==

ssl version ssl3.0 disable

ssl version tls1.0 disable

ssl server-policy myserverpolicy ciphersuite  dhe_rsa_aes_128_cbc_sha  dhe_rsa_aes_256_cbc_sha  exp_rsa_des_cbc_sha  rsa_3des_ede_cbc_sha  rsa_aes_128_cbc_sha  rsa_aes_256_cbc_sha  rsa_des_cbc_sha

ssl client-policy myclientpolicy prefer-cipher  dhe_rsa_aes_128_cbc_sha  dhe_rsa_aes_256_cbc_sha  exp_rsa_des_cbc_sha  rsa_3des_ede_cbc_sha  rsa_aes_128_cbc_sha  rsa_aes_256_cbc_sha  rsa_des_cbc_sha

==

                           

[5940-133-32-ssl-server-policy- myserverpolicy]ciphersuite ?

  dhe_rsa_aes_128_cbc_sha         Use the ciphersuit

                                  SSL_DHE_RSA_with_AES_128_CBC_SHA

  dhe_rsa_aes_128_cbc_sha256      Use the ciphersuit

                                  TLS_DHE_RSA_with_AES_128_CBC_SHA256

  dhe_rsa_aes_256_cbc_sha         Use the ciphersuit

                                  SSL_DHE_RSA_with_AES_256_CBC_SHA

  dhe_rsa_aes_256_cbc_sha256      Use the ciphersuit

                                  TLS_DHE_RSA_with_AES_256_CBC_SHA256

  ecdhe_ecdsa_aes_128_cbc_sha256  Use the ciphersuit

                                  TLS_ECDHE_ECDSA_with_AES_128_CBC_SHA256

  ecdhe_ecdsa_aes_128_gcm_sha256  Use the ciphersuit

                                  TLS_ECDHE_ECDSA_with_AES_128_GCM_SHA256

  ecdhe_ecdsa_aes_256_cbc_sha384  Use the ciphersuit

                                  TLS_ECDHE_ECDSA_with_AES_256_CBC_SHA384

  ecdhe_ecdsa_aes_256_gcm_sha384  Use the ciphersuit

                                  TLS_ECDHE_ECDSA_with_AES_256_GCM_SHA384

  ecdhe_rsa_aes_128_cbc_sha256    Use the ciphersuit

                                  TLS_ECDHE_RSA_with_AES_128_CBC_SHA256

  ecdhe_rsa_aes_128_gcm_sha256    Use the ciphersuit

                                  TLS_ECDHE_RSA_with_AES_128_GCM_SHA256

  ecdhe_rsa_aes_256_cbc_sha384    Use the ciphersuit

                                  TLS_ECDHE_RSA_with_AES_256_CBC_SHA384

  ecdhe_rsa_aes_256_gcm_sha384    Use the ciphersuit

                                  TLS_ECDHE_RSA_with_AES_256_GCM_SHA384

  exp_rsa_des_cbc_sha             Use the ciphersuit

                                  SSL_RSA_export_with_DES_CBC_SHA

  exp_rsa_rc2_md5                 Use the ciphersuit

                                  SSL_RSA_export_with_RC2_CBC_40_MD5

  exp_rsa_rc4_md5                 Use the ciphersuit

                                  SSL_RSA_export_with_RC4_40_MD5

  rsa_3des_ede_cbc_sha            Use the ciphersuit

                                  SSL_RSA_with_3DES_EDE_CBC_SHA

  rsa_aes_128_cbc_sha             Use the ciphersuit

                                  SSL_RSA_with_AES_128_CBC_SHA

  rsa_aes_128_cbc_sha256          Use the ciphersuit

                                  TLS_RSA_with_AES_128_CBC_SHA256

  rsa_aes_256_cbc_sha             Use the ciphersuit

                                  SSL_RSA_with_AES_256_CBC_SHA

  rsa_aes_256_cbc_sha256          Use the ciphersuit

                                  TLS_RSA_with_AES_256_CBC_SHA256

  rsa_des_cbc_sha                 Use the ciphersuit SSL_RSA_with_DES_CBC_SHA

  rsa_rc4_128_md5                 Use the ciphersuit SSL_RSA_with_RC4_128_MD5

  rsa_rc4_128_sha                 Use the ciphersuit SSL_RSA_with_RC4_128_SHA

 

 


I work for HPEAccept or Kudo
1 REPLY 1
parnassus
Honored Contributor

Re: HPE Switch - SSL Vulnerabilities.

Hi @jmpk, is it a recognized security vulnerability (recognized = there is a specific HPE/Aruba Security Bullettin about it or is cited on an already published HPE/Aruba Security Bullettin)? If so what HPE/Aruba Security Bullettin should be read to understand workarounds, if any?


I'm not an HPE Employee
Kudos and Accepted Solution banner